BFF v4 multi-frontend documentation

Author: Erwinvandervalk

src/content/docs/bff/fundamentals/index.md

@@ -1,3 +1,6 @@
 label: "Multiple frontends"
 collapsed: true
-order: 120
+order: 120
+badge:
+  text: v4
+  variant: tip

src/content/docs/bff/fundamentals/multi-frontend/_meta.yml

@@ -0,0 +1,193 @@
+---
+title: "BFF Configuration"
+description: Documentation for managing BFF configuration
+sidebar:
+  order: 3
+  label: "Configuration"
+
+---
+It's possible to configure the BFF via IConfiguration. 
+
+```csharp {6}
+
+var bffConfig = new ConfigurationBuilder()
+    .AddJsonFile(Path.Combine(AppContext.BaseDirectory, "..", "..", "..", "BffConfig.json"), optional: false, reloadOnChange: true)
+
+services
+  .AddBff()
+  .LoadConfiguration(bffConfig);
+
+```
+
+The configuration supports dynamic reloading (so any new frontend added / removed is immediately reflected). 
+
+### BffConfiguration
+
+- **defaultOidcSettings**
+  OIDC settings applied globally to all frontends unless overridden.  
+  Type: OidcConfiguration object (see below for properties).
+
+- **defaultCookieSettings**
+  Cookie settings applied globally to all frontends unless overridden.  
+  Type: CookieConfiguration object (properties depend on your implementation).
+
+- **frontends**
+  Dictionary of frontend configurations.  
+  Each key is a frontend name, and the value is a BffFrontendConfiguration object (see below).
+
+---
+
+### BffFrontendConfiguration JSON Properties
+
+- **indexHtmlUrl**
+  The URL to the main HTML file for this frontend.  
+  Example: `"https://localhost:5005/static/index.html"`
+
+- **matchingPath**
+  The path prefix for requests routed to this frontend.  
+  Example: `"/from-config"`
+
+- **matchingOrigin**
+  The origin to match for this frontend.  
+  Example: `"https://localhost:5005"`
+
+- **oidc**
+  OIDC settings specific to this frontend.  
+  Type: OidcConfiguration object (see below).
+
+- **cookies**
+  Cookie settings specific to this frontend.  
+  Type: CookieConfiguration object (see below)
+
+- **RemoteApis**
+  Remote api's for this frontend. (see below)
+
+### RemoteApiConfiguration JSON Properties
+
+- **localPath**
+  String. The local path that will be used to access the remote API.  
+  Example: `"/api/user-token"`
+
+- **targetUri**
+  String. The target URI of the remote API.  
+  Example: `"https://localhost:5010"`
+
+- **requiredTokenType**
+  String. The token requirement for accessing the remote API.  
+  Possible values: `"User"`, `"Client"`, `"None"`, `"OptionalUserOrClient"`, `"OptionalUserOrNone"`  
+  Default: `"User"`
+
+- **tokenRetrieverTypeName**
+  String. The type name of the access token retriever to use for this remote API.
+
+- **userAccessTokenParameters**
+  Object. Parameters for retrieving a user access token (see below).
+
+- **activityTimeout**
+  String. How long a request is allowed to remain idle between operations before being canceled.  
+  Use C# `TimeSpan` serialization format, e.g. `"00:01:40"` for 100 seconds.
+
+- **allowResponseBuffering**
+  Boolean. Allows write buffering when sending a response back to the client (if supported by the server).  
+  Note: Enabling this can break server-sent events (SSE) scenarios.
+
+---
+
+### UserAccessTokenParameters JSON Properties
+
+- **signInScheme**
+  String. The scheme used for signing in the user (typically the cookie authentication scheme).  
+  Example: `"Cookies"`
+
+- **challengeScheme**
+  String. The authentication scheme to be used for challenges.  
+  Example: `"OpenIdConnect"`
+
+- **forceRenewal**
+  Boolean. Whether to force renewal of the access token.
+
+- **resource**
+  String. The resource for which the access token is requested.  
+  Example: `"https://api.example.com"`
+
+
+### OidcConfiguration JSON Properties
+
+- **clientId**
+  The client ID of the OpenID Connect client.
+
+- **clientSecret**
+  The client secret of the OpenID Connect client.
+
+- **callbackPath**
+  The path or URI to which the OpenID Connect client will redirect after authentication.
+
+- **authority**
+  The authority URI, typically the issuer or identity provider endpoint.
+
+- **responseType**
+  The response type that the OpenID Connect client will request.
+
+- **responseMode**
+  The response mode that the OpenID Connect client will use to return the authentication response.
+
+- **mapInboundClaims**
+  Boolean. Whether to map inbound claims from the OpenID Connect provider to the user's claims in the application.
+
+- **saveTokens**
+  Boolean. Whether to save the tokens received from the OpenID Connect provider.
+
+- **scope**
+  Array of strings. The scopes that the OpenID Connect client will request from the provider.
+
+- **getClaimsFromUserInfoEndpoint**
+  Boolean. Whether to retrieve claims from the UserInfo endpoint of the OpenID Connect provider.
+
+### CookieConfiguration JSON Properties
+
+- **httpOnly**
+  Boolean. Indicates whether the cookie is inaccessible by client-side script. Defaults to true. 
+
+- **sameSite**
+  String. The SameSite attribute of the cookie.  Defaults to strictg.  
+  Possible values: `"None"`, `"Lax"`, `"Strict"`
+
+- **securePolicy**
+  String. The policy used to determine if the cookie is sent only over HTTPS.  
+  Possible values: `"Always"`, `"None"`, `"SameAsRequest"`
+
+- **name**
+  String. The name of the cookie.
+
+- **maxAge**
+  String. The max-age for the cookie. 
+  Example: "0:01:00 for 1 minute
+
+- **path**
+  String. The cookie path. The BFF will configure the default values for this property. 
+  Example: `"/"`
+
+- **domain**
+  String. The domain to associate the cookie with. The BFF will configure the default values for this property.  
+  Example: `"example.com"`
+
+### Example
+
+```json
+{
+  "defaultOidcSettings": {
+    "clientId": "global-client",
+    "authority": "https://login.example.com"
+  },
+  "defaultCookieSettings": null,
+  "frontends": {
+    "some_frontend": {
+      "indexHtmlUrl": "https://localhost:5005/static/index.html",
+      "matchingPath": "/from-config",
+      "oidc": {
+        "clientId": "frontend1-client",
+        "scope": ["openid", "profile", "email"]
+      }
+    }
+  }
+}

src/content/docs/bff/fundamentals/multi-frontend/configuration.mdx

@@ -7,4 +7,100 @@ sidebar:
 
 ---
 
-asdf
+The Backend For Frontend pattern basically states that there should 
+be a single backend for each frontend. While for some applications / architectures this
+makes a lot of sense, because there is a 1-to-1 mapping between the api surface
+and the browser based application, for some other architectures this may not be useful.
+
+Especially in micro-service based architectures, where there are many backend api's 
+and multiple frontends using these apis, having a dedicated backend service for each frontend
+introduces quite a lot of operational overhead. 
+
+To overcome this issue, a single BFF instance can support multiple frontends. Each frontend you configure can:
+* Define it's own OpenID Connect configuration
+* Define it's own Cookie settings
+* Define it's own api surface
+* Be identified either via path based routing and/or origin selection. 
+
+Adding additional frontends to the BFF has very little impact on the performance on the BFF itself, but keep in mind
+that the traffic for all the frontends is proxied through the bff. 
+
+## Frontend selection
+
+Each request to a frontend has to be uniquely defined by either it's path, it's origin or a combination of the two. 
+If you specify neither, then it's considered the default frontend. 
+
+Frontends are matched using the following algorithm:
+
+1. **Selection by both origin and path:** If there is a frontend that matches both the origin AND has the most specific match to a path, then it's selected. 
+2. **Selection by origin only:** Then if there is a frontend with only origins configured and it matches the path, then it's selected. 
+3. **Selection by path only:** Then if there is a frontend with a matching path specified, then it's selected. 
+4. **Default frontend:** Then if there is a default frontend configured, then it's selected.  
+
+Basically, the most specific match will be selected. 
+
+:::note
+When using path based routing, then the frontend's path is added to the [PathBase](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.pathbase) 
+and removed from the [Path](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.http.httprequest.path). This means that any routing
+that happens in the application is relative to the path of the frontend. This also includes the openid callback paths. 
+:::
+
+## Adding a frontend during startup
+
+The simplest way to add frontends is during startup. 
+
+```csharp {3}
+services
+    .AddBff()
+    .WithFrontends(new BffFrontend(BffFrontendName.Parse("frontend1")));
+```
+You can call WithFrontends with multiple frontends in one go, or call it multiple times. 
+
+## Adding / updating a frontend dynamically at runtime
+
+If you want to manipulate the frontends at runtime, you can do so via the IFrontendCollection interface. 
+
+```csharp
+var frontends = app.Services.GetRequiredService<IFrontendCollection>();
+
+frontends.AddOrUpdate(new BffFrontend(name));
+
+frontends.Remove(name);
+```
+
+## Defining the api surface
+
+A frontend can define it's own api surface, by specifying remote api's. 
+
+```csharp
+
+var frontend = new BffFrontend(BffFrontendName.Parse("frontend1"))
+   .WithRemoteApis(
+      // map the local path /path to the remote api
+      new RemoteApi(LocalPath.Parse("/some_path"), new Uri("https://remote-api")))
+
+      // You can also configure various options, such as the type of token,
+      // retrieval parameters, etc.. 
+      new RemoteApi(LocalPath.Parse("/with_options"), new Uri("https://remote-api")))
+        .WithAccessToken(RequiredTokenType.UserOrClient),
+        .WithAccessTokenRetriever<ImpersonationAccessTokenRetriever>(),
+        .WithUserAccessTokenParameters(new BffUserAccessTokenParameters { Resource = Resource.Parse("urn:isolated-api") }));
+```
+
+See the topic on [Token Management](../tokens.md) for more information about the various token management options. 
+
+## Index HTML proxying
+
+When deploying a multi-frontend bff, it makes most sense to have the frontend's configured with an 
+Index.HTML file that's retrieved from a CDN. 
+
+```csharp
+
+var frontend = new BffFrontend(BffFrontendName.Parse("frontend1"))
+   .WithIndexHtml(new Uri("https://my_cdn/some_app/index.html"))
+```
+
+When you do this, the BFF automatically wires up a catch-all route that serves the index.html for that specific frontend. 
+See [Serve the index page from the BFF host](../../architecture/ui-hosting.md#serve-the-index-page-from-the-bff-host) for more information. 
+
+

src/content/docs/bff/fundamentals/multi-frontend/index.mdx

@@ -42,6 +42,18 @@ builder.Services.AddBff(options =>
 
     The ASP.NET environment names that enable the diagnostics endpoint. Defaults to "Development".
 
+* ***BackChannelHttpHandler*** 
+    A HTTP message handler that's used to configure backchannel communication. Typically used during testing. Configuring this will automatically configure the BackChannelHttpHandler property in _OpenIDConnectOptions_ and also set it as the primary http message handler for retrieving the index.html. 
+
+* ***AutomaticallyRegisterBffMiddleware*** (added in 4.0)
+    When applying BFF V4 multiple frontends, a lot of middlewares get automatically added to the pipeline. For example, the frontend selection middleware, the authentication handlers, etc. If you don't want this automatic behavior, then you can turn it off and register these middlewares manually. 
+
+* ***IndexHtmlClientName***
+    If BFF is configured to automatically retrieve the index.html, then it needs a http client to do so. With this name you can automatically configure http client in the http client factory. 
+
+* ***AllowedSilentLoginReferers*** 
+    For silent login to work, you normally need to have the BFF backend and the frontend on the same origin. If you have a split host scenario, meaning the backend on a different origin (but same site) as the frontend, then you can use the referer header to differentiate which browser window to post the silent login results to. This array must then contain the list of allowed referer header values. 
+
 ## Paths
 
 * ***LoginPath***
@@ -95,12 +107,14 @@ builder.Services.AddBff(options =>
     If *true*, all sessions for the subject will be revoked. If false, just the specific session will be revoked.
     Defaults to *false*.
 
-* ***EnableSessionCleanup***
+* ***~~EnableSessionCleanup~~*** (removed in V4)
 
     Indicates if expired server side sessions should be cleaned up.
     This requires an implementation of IUserSessionStoreCleanup to be registered in the ASP.NET Core service provider.
     Defaults to *false*.
 
+    In V4, you need to opt into this value by calling **.AddSessionCleanupBackgroundProcess()**
+
 * ***SessionCleanupInterval***
 
     Interval at which expired sessions are cleaned up.
@@ -129,6 +143,9 @@ builder.Services.AddBff(options =>
     a new Access Token fails. This behavior is only triggered when proxying requests to remote
     APIs with TokenType.User or TokenType.UserOrClient. Defaults to True. 
 
+* ***DisableAntiForgeryCheck*** (added in V4)
+    A delegate that determines if the anti-forgery check should be disabled for a given request. The default is not to disable anti-forgery checks.
+
 
 # BFF Blazor Server Options